FTC Gets Serious About Collecting CRM Data From Kids Using Mobile Apps

Written by Frank Hayes
August 17th, 2011

When it comes to CRM data, what’s perfectly OK for retailers to collect from adults using a mobile app just got a lot trickier when kids are involved. On Monday (Aug. 15), the Federal Trade Commission announced that an iPhone app developer was fined $50,000 for collecting 30,000 E-mail addresses from users who might (or might not) be children—the first time the FTC has gotten involved in an app-related case. Even more daunting, the settlement required the firm to “delete all personal information collected in violation of the Rule.”

The money is painful enough, but at least paying it is easily doable. Deleting the data is another matter. Once this type of information is gathered, it is copied to potentially dozens of places (marketing, a third-party E-mail service, backup disks, thumb drives that employees take home, different spreadsheets for analyzing different projects, etc.), and subsidiary information (the fruit of the poisonous tree, as they’d say in legal circles) may be in far more. An FTC order that comes in six months after the fact may be all but impossible to fully comply with.

The developer, Broken Thumbs Apps, isn’t a retailer. But the case sets a standard for retailers whose apps may be used by children younger than 13: Offering underage customers kid-friendly activities puts you squarely in the FTC’s sights unless you get parents’ permission for every child’s information—even if the information will only be used internally.

The apps in question were definitely aimed at sub-teenage kids, who fall under the Children’s Online Privacy Protection Act (COPPA) of 1998. According to the FTC’s complaint, more than 59,000 Broken Thumbs apps aimed at “younger girls and nostalgic adults” were downloaded from Apple’s App Store since early 2010, including “Emily’s Girl World” and “Emily’s Dress Up & Shop app.”

Those apps invited kids to send E-mails to “Emily,” post “shout-outs” to friends and family members, ask Emily’s advice, share embarrassing “blush” stories, submit art and pet photographs, and send in inspirational quotes, in addition to registering to submit comments. Only about 600 users registered, but Broken Thumbs was storing more than 30,000 E-mails to “Emily.”

The FTC didn’t suggest that Broken Thumbs Apps was planning to use those E-mail addresses improperly. But just the fact that the company collected those addresses was enough to violate COPPA and get Emily’s creators in trouble with the FTC. The problem: No notice online of what information the company collected from children and how the information would be used, and no parental consent before any personal information was collected.

That was sloppy on the part of Broken Thumbs Apps (whose official corporate name is W3 Innovations, but we like Broken Thumbs better). Although the company knew it was marketing to young kids, it apparently didn’t know the tight restrictions on marketing to those kids online—and it paid the price.

Think you’re not in a similar position just because your phone apps aren’t intended for children younger than 13? You’re too optimistic—especially if you have apps aimed at teenagers. Those are exactly the apps that some pre-teens are likely to want. You can’t afford to assume that any CRM data you collect with those apps is going to be pre-teen clean.

Unfortunately, there’s also no obvious safe harbor for collecting that CRM data, and no way of knowing which good-faith efforts will be enough. Asking for an age or birth date may be enough to keep you out of trouble with the FTC—or maybe it won’t be. COPPA requires parental notification and consent for under-13 users, but playing it safe by requiring that from all users is an almost perfect way to drive teenagers away.

It’s probably going to take a few more fines before we have any clear idea of what is safe ground and what will attract the FTC’s attention. But now that the FTC has discovered apps, those fines are surely coming.

